CVE-2022-28799

Published: Jun 2, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.

Affected (1)

Products: Tiktok: Tiktok

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Tiktok Tiktok	Before 23.7.3

Related CWEs

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References (6)

https://github.com/Ch0pin/security-advisories/security/advisories/GHSA-v39p-88q5-5cvr

Source: cve@mitre.org

Third Party Advisory

https://hackerone.com/reports/1500614

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://support.tiktok.com/en/safety-hc/reporting-security-vulnerabilities/reporting-the-security-vulnerabilities

Source: cve@mitre.org

Third Party Advisory

https://github.com/Ch0pin/security-advisories/security/advisories/GHSA-v39p-88q5-5cvr

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://hackerone.com/reports/1500614

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://support.tiktok.com/en/safety-hc/reporting-security-vulnerabilities/reporting-the-security-vulnerabilities

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.